API Token AuthenticationAPI Token Authentication
Try For Free

Working With OpenPGP Encrypted Tokens

Introduction

When other people create tokens for you they might ask you for your public OpenPGP key.
This will allow them to encrypt the plaintext token so that it can be transmitted to you more securely. You'll then receive a PGP message like the below which you can decrypt using your private key.

  1. -----BEGIN PGP MESSAGE-----
  3. hQIMA7scARKwit0KAQ//SMVdyeGCZqqf+U00sx++SWxtFiuRmfMyJkmunazwNpm
  4. jpPCjXruh88hLZ09p2Gc+h0hyhFCE+JJY7gx+CCWxMZ1KZlU8oY/Ef8Bvh1raeJ
  5. dOlqByYjmUo8WvaxXQ4/dCtNIKk0VkQgp+LNxAc3b0YZFSTkS6qQtMkmIKM6qBZ
  6. m+NVtmcWMdU3vG3ZH4Vo/qQ/PsFqTGDQKiZuHPEjW5LP6hzz0zprfv5NRDjxs6w
  7. uNRvIdFo98iWkrBsgNVWyYFlHTh5BzZFM4vhichZU4KZ9XsNTruWslr/Bss3FTQ
  8. LCu6y/t3KUh275ZT9D5fGy4BgCQkLpdwcs8h0SzX2KGZAxBg/LqsgWSarmW2TIz
  9. dRSnftAu0eyZnuS6yJBgZBMbzJtVq/oNULqfWpJOL9OKiiPFtAkqXrU9YRZlmNQ
  10. m6naxLMEZtfm86WcFTpHd5fy/GQj1DQF50YnkGQdPKd5LHN9BMOwxLT9vh2baYw
  11. XR51o5dzn9AVCOKDegHl0D6jes0E8gGw8jjJuiqDAZHqRNFplwOXjo69ULxtvj3
  12. 2C0LIiB8GoTSeorlrL2Tgu6SHkTm6sxnWRGhkIGJRX1xQPro8U5+7T8ATxdXta5
  13. 8/QzGD+Awped6hT7iJgXRQLrjJfp5BKNVCeClxsRPYwipzXryZ0PYPkkQpmJOUw
  14. 0bu2WgCtT3SXwH91se6VP+nW8v82e3HR2Hxrx8x9lS8RRljbbkH4RhgqBdSdmRu
  15. cyconMIx6Qq0HM3/9bSyabVYHVifGr1DLazUKi0F2wNjISXhe5yS5BzHX7qssZ0
  16. gI730yHYleFmm
  18. -----END PGP MESSAGE-----

OpenPGP Prerequisites

Download And Installation

There is a cross-platform frontend for OpenPGP which is recommended on the OpenPGP website.
It's called GPG Frontend and you can download it here:  https://www.gpgfrontend.pub/#/.
It only runs on 64Bit operating systems and also requires GnuPGP to be installed on the system, otherwise, there will be an error message when you start GPG Frontend.
We found that on macOS the error message only went away when using the GnuPG for OS X Installer for GnuPG provided via https://gnupg.org/download/index.html.

Installing GnuPGP is different for each operating system, you can find more help for other OS and also the installation of the frontend itself here: https://www.gpgfrontend.pub/#/quick-start?id=install-amp-run.

Creating A Public Key Using GpgFrontend

macOS

Start the app and open the Keys/ Manage Keys settings:

image2022-4-12_13-51-42.png

Click on Generate and New Keypair

image2022-4-12_13-52-50.png

Provide a Name and Email Address, click OK and protect the key pair with a password when prompted.
Make sure the Key usage supports Encryption.

image2022-4-25_10-14-44.png

When creating key pairs with the GUI, there seems to be no way to create the key type ED25519 for encryption key usage.
Thus, we create a 4096 bit RSA key for this example. The GnuPG command-line tool normally creates the aforementioned key type with proper usage by default. Please read here how.


You'll then see the new key pair in your Key Toolbox

image2022-4-25_10-18-44.png

To provide the public key to the person that creates the token for you, you can either go back to Manage Keys and export it to the clipboard
image2022-4-25_10-19-45.png

or you right-click on the pair in the Key ToolBox to show the key details

 image2022-4-25_10-22-47.png

and export it to a file from there

image2022-4-25_10-23-26.png

Windows

The Windows version is nearly identical to the MacOS one. Please refer to the above instructions.

Decrypting the PGP Message Using GpgFrontend

Once you got back the encrypted token as a PGP message you can decrypt it with the same tool.

image2022-4-12_14-24-33.png

After entering the passphrase for your key pair/ private key the PGP message gets replaced with the token:

image2022-4-12_14-26-32.png

Creating A Public Key Using Commandline

The procedure is the same across all platforms and requires GnuGPG to be installed, as mentioned earlier.
On macOS and Linux you can use the gpg command from your terminal, on Windows from the command shell (cmd).

Create Key Pair

Create the pair with the below command and select the key type. The default selection should be the best choice in most cases.
The below example is from macOS with GnuPG 2.3.4 installed. I chose (9)

  1. gpg --full-generate-key
  3. Please select what kind of key you want:
  4. (1) RSA and RSA
  5. (2) DSA and Elgamal
  6. (3) DSA (sign only)
  7. (4) RSA (sign only)
  8. (9) ECC (sign and encrypt) *default*
  9. (10) ECC (sign only)
  10. (14) Existing key from card

Select the elliptic curve, the default is the best choice again.

  1. Please select which elliptic curve you want:
  2. (1) Curve 25519 *default*
  3. (4) NIST P-384
  4. (6) Brainpool P-256

Specify how long the key should be valid, i.e. 1y for one year and confirm

  1. 0 = key does not expire
  2. <n> = key expires in n days
  3. <n>w = key expires in n weeks
  4. <n>m = key expires in n months
  5. <n>y = key expires in n years

Provide a real name, passwords and optional comment and confirm.

  1. GnuPG needs to construct a user ID to identify your key.
  3. Real name: Tye Norton
  4. Email address: tn@company.com
  5. Comment: API Token Encryption

You'll be prompted to enter and confirm a passphrase for the private key portion afterwards.
This is the output after completing these steps:

  1. gpg: revocation certificate stored as '/Users/tyenorton/.gnupg/openpgp-revocs.d/C3E964E9329B807F9D495CB2392B0C457338C4AE.rev'
  2. public and secret key created and signed.
  4. pub ed25519 2022-04-20 [SC] [expires: 2023-04-20]
  5. C3E964E9329B807F9D495CB2392B0C457338C4AE
  6. uid Tye Norton (API Token Encryption) <tn@company.com>
  7. sub cv25519 2022-04-20 [E] [expires: 2023-04-20]

Export The Public Key

The person who encrypts the token for you requires the public key. Here is how to export that key using the command line.

Exporting The Only Public Key 

If you only created one key pair, you can export the public key like this:

  1. gpg --armor --output myGpgPublicKey.pub --export

Exporting One From Many Public Keys

If you have other key pairs already and created a new one as described above, you can export that key by adding the public key identifier at the end:

  1. gpg --armor --output myGpgPublicKey.pub --export C3E964E9329B807F9D495CB2392B0C457338C4AE

If you don't know which public key is which, run the following to get a list. The identifier is displayed in the second line of the pub key

  1. gpg --list-keys
  3. gpg: checking the trustdb
  4. gpg: marginals needed: 3 completes needed: 1 trust model: pgp
  5. gpg: depth: 0 valid: 2 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 2u
  6. gpg: next trustdb check due at 2023-04-20
  7. /Users/tyenorton/.gnupg/pubring.kbx
  8. ------------------------------
  9. pub ed25519 2022-04-20 [SC] [expires: 2023-04-20]
  10. C3E964E9329B807F9D495CB2392B0C457338C4AE
  11. uid [ultimate] Tye Norton (API Token Encryption) <tn@company.com>
  12. sub cv25519 2022-04-20 [E] [expires: 2023-04-20]
  14. pub ed25519 2022-04-20 [SC]
  15. BB88BDC1F99DAA8C3936C1D12067B8FC7CB362B3
  16. uid [ultimate] Tye Norton (Other Purposes) <tn@company.com>
  17. sub cv25519 2022-04-20 [E]

Decrypting the PGP Message Using the Commandline

There are various ways, but not all of them will work on every type of command line.


What should always work is to paste the encrypted token/ PGP message to a text file first and decrypt the file.
You'll get prompted for the private key passphrase and eventually see the token on that last line:

  1. gpg -d token.txt
  2. gpg: encrypted with cv25519 key, ID F6B55BC01E713AD8, created 2022-04-20
  3. "Tye Norton (API Token Encryption) <tn@company.com>"
  4. gpg: Note: sender requested "for-your-eyes-only"
  5. CVPgoOkvV6pL4kbhaNEMYee3OHl7YBcbsK34Ed


Other methods require the PGP message to be copied to the clipboard first. Please read the additional comment for each method below:

  1. # macOS
  2. pbpaste | gpg -d
  4. # Linux 1
  5. echo '-----BEGIN PGP MESSAGE-----
  7. hF4D9rVbwB5xOtgSAQdAyMFGkdS3oUfGNMHGaZB6r85/XRSsfeUyOSGXEZdzcEAw/JuBcLUhMJoSWaH/lp0i28x5Cgqs6XNAej/890yIm39/12Mz7VCCRlMExmYtaM0I0mABLAJOen5sLvZTfUkQlxlvvYBdfZBjwoTX2X6x/lHhhjPo36NoSmibS/4/tbJrsihHr85NidtMM+ltBC6qhWdtouPWvor4ZlnY2Da6or+lomqkRpjDyKXQeiaZVfAvQ94=
  9. -----END PGP MESSAGE-----' | gpg -d
  11. # Linux 2
  12. echo '-----BEGIN PGP MESSAGE-----
  14. hF4D9rVbwB5xOtgSAQdAyMFGkdS3oUfGNMHGaZB6r85/XRSsfeUyOSGXEZdzcEAw/JuBcLUhMJoSWaH/lp0i28x5Cgqs6XNAej/890yIm39/12Mz7VCCRlMExmYtaM0I0mABLAJOen5sLvZTfUkQlxlvvYBdfZBjwoTX2X6x/lHhhjPo36NoSmibS/4/tbJrsihHr85NidtMM+ltBC6qhWdtouPWvor4ZlnY2Da6or+lomqkRpjDyKXQeiaZVfAvQ94=
  16. -----END PGP MESSAGE-----' > token.txt; gpg -d token.txt

On Windows, the easiest way to do this is using Power Shell because it has built-in functionality to read from the clipboard.

  1. Get-Clipboard | gpg -d

If you can't use Power Shell, paste the PGP message to a text file first and decrypt it afterwards

  1. gpg -d token.txt



This site uses cookies to deliver its service & to analyse traffic. By browsing this site, you accept the privacy policy.

Our Wiki uses cookies

We want to give you the best possible experience on our website. For this we use technically required cookies and, if you agree, cookies for analysis and marketing purposes. You can find more information about the cookies in our Privacy Policy. By tapping ‘Accept All,’ you consent to the use of these methods by us and third parties.

Necessary
Always Active
Analytics
Advertisement
Other